KCMVP — Korea's Cryptographic Module Validation Programme

KCMVP, the Korean Cryptographic Module Validation Program, is South Korea’s national validation programme for cryptographic modules used by public institutions. It is distinct from Korea’s Common Criteria scheme (KECS) but is frequently tracked alongside CC certifications because both appear on security-product procurement lists.

Key facts

• Authorizing body: National Security Research Institute (NSR), under the National Intelligence Service (NIS)
• Country / region: Republic of Korea
• Year established: 2005
• Product types: cryptographic modules (software, hardware, firmware, hybrid) used in Korean public-sector systems
• CCRA status: KCMVP is not a CCRA scheme; Korea’s CC authorizing scheme is KECS (operated by IT Security Certification Center, ITSCC)
• Canonical portal: https://eng.nis.go.kr/EAF/1_7_2_1.do

Overview

KCMVP validates cryptographic modules against Korean standards (KS X ISO/IEC 19790 and national algorithm requirements), requiring that modules implement approved cryptographic algorithms such as ARIA, SEED, LEA, HIGHT, and Korean hash functions. It is a precondition for using a module in many Korean public systems.

How evaluations work under this scheme

Accredited Korean testing laboratories evaluate a submitted module against KCMVP criteria, verifying algorithm conformance, physical security (where applicable), self-tests, and key management. The NSR issues the validation certificate upon successful review. While KCMVP is conceptually comparable to FIPS 140-3 validation in the United States, the algorithms, thresholds, and administration are Korea-specific.

Notable product categories

• Software cryptographic libraries for enterprise applications
• Hardware security modules and cryptographic co-processors
• Smart card cryptographic firmware
• Mobile and embedded cryptographic modules for Korean public services

Relationship to CC baseline

KCMVP is not built on ISO/IEC 15408 — it targets cryptographic module validation rather than TOE security evaluation. Products may carry both a KCMVP validation (for the cryptographic module) and a KECS CC certificate (for a broader TOE that embeds the module). NenkinTracker treats KCMVP records as a distinct programme so cryptographic module status is visible alongside CC claims.

Where to find official records

• NIS English KCMVP overview (validated module information): https://eng.nis.go.kr/EAF/1_7_2_1.do
• NenkinTracker surfaces KCMVP validations alongside CC certifications for Korean products.

See also: Certification Schemes Overview, Glossary.